I recently read some posts on Fred Wilson’s blog and it was impressive that he writes every day.
I’ve fallen into the trap of collecting raw material and then waiting to find time to write a 2000-word essay on some topic of importance to me. But, I think it was Steve Jobs who said the best time to do anything was 20 years ago and failing that – best time is now. So now – I will start writing every day and attempt to write on topics of interest to my customers, not me.
We are working on automating patient compliance in medical device clinical trials. Patient compliance is critical for the success of medical device studies.
When we say success – we mean proving or disproving the scientific hypothesis of the study. Efficacy – is the device an effective treatment for the indication?
Safety – is the device safe for patients?
When we say patient compliance automation we mean the combination of 4 things which depend on each other:
1. Reinforcing patient compliance to the protocol – for example reporting on time and taking the treatment on time. AI-based reinforcement uses data from the patient’s behavior and similar behavior to keep the patient on track without driving him crazy with text or push messaging.
2. Automated monitoring of compliance – using clinical measures and the treatment schedule for the study. An example of a clinical measure is the number of capsules a patient took. An example of treatment schedule is taking the capsules every day before 12.
The output of automated monitoring is real-time alerts and compliance trends to the study team.
3. Automate patient compliance reinforcement using an adaptive control process that takes fresh data from the alerts to make decisions on how to reinforce the patient and keep them on track.
4. In order to automate monitoring and do AI-based reinforcement of patient compliance, you need fresh and up-to-date data.
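The monitoring step in items 2 and 4 can be sketched as follows. This is an added example, not Flaskdata.io code: it checks the page's clinical measure (capsules taken) against the page's schedule (every day before 12) and flags stale data using the one-day threshold stated later on this page. The prescribed capsule count, the record layout, the alert names and the sample reports are assumptions constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

DOSE_CUTOFF = time(12, 0)        # page: "taking the capsules every day before 12"
PRESCRIBED_PER_DAY = 2           # assumption: the page gives no capsule count
STALE_AFTER = timedelta(days=1)  # page: patient data more than a day old is stale


@dataclass(frozen=True)
class DoseReport:
    subject_id: str
    taken_at: datetime   # when the patient reports taking the capsules
    capsules: int        # the clinical measure


def evaluate_subject(subject_id, reports, first_day, now):
    """Return (alerts, adherence) for one subject from first_day up to `now`.

    alerts is a list of (date, code); adherence is the share of evaluated
    days with the prescribed count taken before the cutoff.
    """
    by_day = defaultdict(list)
    for r in reports:
        if r.subject_id == subject_id:
            by_day[r.taken_at.date()].append(r)

    alerts, compliant, evaluated = [], 0, 0
    day = first_day
    while day <= now.date():
        # Today is only judged once its cutoff has passed.
        if day == now.date() and now.time() < DOSE_CUTOFF:
            break
        evaluated += 1
        todays = by_day.get(day, [])
        issues = []
        if not todays:
            issues.append("MISSED_DOSE")
        else:
            if any(r.taken_at.time() >= DOSE_CUTOFF for r in todays):
                issues.append("LATE_DOSE")
            if sum(r.capsules for r in todays) != PRESCRIBED_PER_DAY:
                issues.append("WRONG_CAPSULE_COUNT")
        alerts.extend((day, code) for code in issues)
        compliant += not issues
        day += timedelta(days=1)

    # Freshness: without recent data the checks above describe the past.
    latest = max((r.taken_at for rs in by_day.values() for r in rs), default=None)
    if latest is None or now - latest > STALE_AFTER:
        alerts.append((now.date(), "STALE_DATA"))

    adherence = compliant / evaluated if evaluated else None
    return alerts, adherence


# Constructed sample data for one hypothetical subject.
SAMPLE_NOW = datetime(2024, 3, 9, 10, 0)
SAMPLE_REPORTS = [
    DoseReport("S-001", datetime(2024, 3, 4, 9, 15), 2),   # on time
    DoseReport("S-001", datetime(2024, 3, 5, 13, 40), 2),  # after the cutoff
    DoseReport("S-001", datetime(2024, 3, 7, 8, 5), 1),    # one capsule short
]


def demo():
    return evaluate_subject("S-001", SAMPLE_REPORTS, date(2024, 3, 4), SAMPLE_NOW)


if __name__ == "__main__":
    alerts, adherence = demo()
    for day, code in alerts:
        print(day.isoformat(), code)
    print("adherence:", adherence)
```

The alert list is what would feed the reinforcement step in item 3, and the adherence figure is one point on the compliance trend reported to the study team.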
There is a lot of work being done by startups like Medable, Litmus Health and Flaskdata.io (disclaimer – I am the founder of Flaskdata.io) but it’s a drop in the ocean of 24,000 new clinical trials every year.
Fundamentally – the problem is that the clinical trials industry uses generic solutions developed 40 years ago to assure quality of data-entry from paper forms.
The generic solution used today involves waiting 1-3 days for site data collection to the EDC, and 4-6 weeks for a site visit and SDV and then another 1-12 weeks for a central monitoring operation in your CRO to decide that there was a protocol violation.
You don’t have to be a PhD data scientist to understand that you cannot assure patient compliance to the clinical protocol with 12-week-old data.
The only explanation for using 40-year-old generic solutions is that the CRO business model is based on maximizing billable hours instead of maximizing patient compliance.
It seems that if you want to achieve real-time detection and response and AI-based patient compliance reinforcement, you have to disrupt the CRO business model first.
Invisible gorillas and detection of adverse events in medical device trials
What is easier to detect in your study – slow-moving or fast-moving deviations?
This post considers human frailty and strengths.
We recently performed a retrospective study of the efficacy of Flaskdata.io automated study monitoring in orthopedic trials. An important consideration was the ability to monitor patients who had received an implant and were on a long term follow-up program. Conceptually, monitoring small numbers of slow-moving, high-risk events is almost impossible to do manually since we miss a lot of what goes on around us, and we have no idea that we are missing so much. See the invisible gorilla experiment for an example.
One of the patients in the study, who had received a spinal implant and was on a 6-month follow-up program, dived into a pool to swim a few laps and died by drowning despite being a strong swimmer. Apparently, the pain caused by movement of the insert resulted in loss of control and a severe adverse event. The patient had disregarded instructions regarding strenuous physical activity and the results were disastrous.
It seems to me that better communications with the patients in the medical device study could have improved their level of awareness of safety and risk and perhaps avoided an unnecessary and tragic event.
Subjects and study monitors are both people.
This might be a trivial observation but I am going to say it anyhow, because there are lessons to be learned by framing patients and monitors as people instead of investigation subjects and process managers.
People are the specialists in their personal experience, the clinical operations team are the specialists in the clinical trial protocol. Let’s not forget that subjects and study monitors are both people.
Relating to patients in a blinded study as subjects without feelings or experience is problematic. We can relate to patients in a personal way without breaking the double blinding and improve their therapeutic experience and their safety.
We should relate to study monitors in a personal way as well, by providing them with great tools for remote monitoring and enable them to prioritize their time on important areas such as dosing violations and sites that need more training. We can use analytics of online data from the EDC, ePRO and eSource and connected medical devices in order to enhance and better utilize clinical operations teams’ expertise in process and procedure.
A ‘patient-centered’ approach to medical device clinical trials
In conditions such as Parkinsons Disease, support group meetings and online sharing are used to stay on top of medication, side effects, falls and general feeling of the patient even though the decisions on the treatment plan need to be made by an expert neurologist / principal investigator and oversight of protocol violations and adverse events is performed by the clinical operations team. There are many medical conditions where patients can benefit by taking a more involved role in the study. One common example is carpal tunnel syndrome.
According to the findings of an August 3rd, 2011 issue of the Journal of Bone and Joint Surgery (JBJS), patients receiving treatment for carpal tunnel syndrome (CTS) prefer to play a more collaborative role when it comes to making decisions about their medical or surgical care.
Treatment of carpal-tunnel syndrome which is very common and also extremely dependent upon patient behavior and compliance is a great example of the effectiveness of “shared decision-making, or collaborative, model” in medicine, in which the physician and patient make the decision together and exchange medical and other information related to the patient’s health.
As the article in JBJS concludes:
“This study shows the majority of patients wanted to share decision-making with their physicians, and patients should feel comfortable asking questions and expressing their preferences regarding care. Patient-centered care emphasizes the incorporation of individual styles of decision making to provide a more patient-centered consultation,” Dr. Gong added.
In a ‘patient-centered’ approach to medical device clinical trials, patients’ cultural traditions, personal preferences and values, family situations, social circumstances and lifestyles are considered in the decision-making process.
Automated patient compliance monitoring with tools such as Flaskdata.io is a great way to create a feedback loop of medical device clinical data collection, risk signature improvement, detection of critical signals and communication of information to patients. Conversely, automated real-time patient compliance monitoring is a great way of enhancing clinical operations team expertise.
Patients and study monitors are both people.
Why EDC is essential for any medical device clinical trial
This is a post David wrote a while back and it still seems relevant. If you would have asked me 2 years ago – I would have told you that in 2018, no one would be doing paper medical device clinical trials the same way that no one does paper accounting. I would have thought that logic would prevail considering the advantage of using automation and technology instead of using your Chief science officer to manually enter data into Excel.
Medical science is the foundation for innovative medical devices. Taking medical science and developing a medical device product requires translating basic science into technology. This is self-evident.
So why do so many innovative medical device vendors conduct their clinical trials using paper? Damn if I know. Using paper for medical device clinical trials is somewhere between penny-wise and pound foolish and plain dumb.
Every year, 20,000 clinical trials are performed. An electronic data capture (EDC) system is quickly becoming adopted as the modern standard for monitoring in clinical trials. EDC solves the problems that are inherent to traditional, paper-based methods of data capture. During medical device clinical studies, the accessibility to real-time data capture and storage during conduction is key to performing a study that is cost efficient, and effective in generating results.
Paper-based = slow and costly
EDC = quick and efficient
Do not forget these simple equations, as they should become your mantra.
As seen below, the number of medical device clinical trials conducted is like the global population; it only keeps increasing. The pressure is on for product developers to conduct studies in the most expedient fashion possible, and collecting data that is not only pertinent and useful, but is clean and devoid of doubt concerning its accuracy.
Thanks to technological advances (read: EDC), on-site monitoring and clumsy, paper-based data storage are going the way of the dodo bird. The use of EDC as a basis for automating patient compliance during medical device clinical trials is quickly developing as more and more medical devices become connected via mobile and home wireless networks.
Paper-based data capture systems are irrelevant for connected medical clinical trials.
90% of drug development costs are invested in clinical trial conduction. EDC systems facilitate automation of patient compliance during the duration of the medical device trial. And while not every medical device trial uses connectivity and automated patient compliance monitoring, there is an increasing understanding that the direction is digital and not paper.
The majority of the public values clinical trials for the healthcare industry, as seen below. Implementing an EDC system for medical device clinical trial monitoring has proven to reduce study costs by 59%. So, ask yourself, what are you waiting for?
As seen above, the value of clinical trials is understood by the public, and as clinical trials continue to grow in scope of variables and number of participants, they require a more efficient means of data capture in order to cut the costs involved in monitoring. EDC systems provide exactly that. Here we will touch upon why an EDC system is becoming an essential for clean and efficient risk-based monitoring in clinical trials.
Medical device monitoring data is available in real-time
Using an EDC system affords the opportunity for study monitors to receive data entered by clinicians as soon as it is collected. Using handheld devices, such as a tablet, that are logged into an EDC system makes risk-based monitoring a breeze. No longer does one need to record data on a clipboard, and then duplicate the same data into an on-site hard drive. This means that monitors are getting their hands on information the second it is captured.
Simply put, the faster that you get data into the hands of your monitors, the greater the efficiency of the study.
Increased study efficiency through cloud notifications
Recently, for the past 20 years or so, medical device clinical trials have been substantially increasing in scale and complexity as they continue to become more valued and salient as a means of biomedical development. Often, they involve a sizable number of people responsible for entering data, and study monitors assigned the task of monitoring specific variables and patient compliance to the protocol.
An EDC system automates the appropriate delivery of fresh and high-quality data from investigational sites, patients and connected medical devices. Whoever needs to receive whatever data variables from a clinician is notified in their personal account via the cloud. Not only does cloud-based EDC keep monitors informed in real time, but the organization and delivery properties ensure that the right monitors are receiving the right data, increasing efficiency in increasingly complex studies.
When data is entered after capture, an EDC system can automate the delivery of the data from the user who entered it to the assigned monitor. Email alerts can also be integrated into the EDC system, so that whenever data is entered for review by a monitor, they are informed even if they are not logged into the EDC system.
Reduced monitor travel costs with remote compliance monitoring
Not only does using EDC keep monitors informed of new captured data as soon as it happens, reducing subject risks, but monitors can perform their tasks from abroad, saving travel time and expenses. The features of using a cloud-based EDC system are nearly endless, but the decentralizing of on-site data monitoring is one of its greatest boons.
Monitors that work from home are going to be willing to receive lower salaries, and people are generally happier when they can work from home. Your study will save time and money through an increased retention rate in monitor personnel who are willing to work with a clinical trial sponsor, study after study.
Further, and this is a benefit from remote monitoring of your medical device clinical trial that most would not think of, consider reduced human traffic at your study site. The fewer people you have at your study site the better, as there is simply less for on-site study managers to focus on. This is a minor benefit of an EDC system, compared to the speed of data delivery with EDC, but a benefit nonetheless.
Also consider that remote monitoring can allow the outsourcing of monitors. If your study site is located in California, but there’s a team of specialists in India, willing to perform exceptional quality of monitoring for lower salaries, of course you are not going to fly them over to work for you; cost prohibitive. If you are using the standard on-site monitoring method that comes with paper-based systems, your resources are limited to only those that can geographically travel to your study site.
Cleaner, consistent data submission to monitors
EDC systems can use a study-specific standardized data collection form, reducing errors in collection and delivery to monitors. Consistency is key to running a smooth, hassle-free medical device clinical trial. By using standardized electronic data collection forms, your study will erase the possibility for inconsistent data submission from data managers to monitors.
Paper-based data capture systems may seem familiar and comfortable to clinicians, and making the transition to an EDC system may seem like a plunge into unknown territory, but the data is plainly cleaner when conducting a study with EDC. The reduction in errors and omissions that results from implementing EDC is a tremendous ROI for your study. Consider the following:
For example, in a paper-based system, data is recorded by hand, and even something as seemingly trivial as handwriting comes into play and can muddle data. Not every clinician will have the best penmanship, so this opportunity to corrupt data is entirely circumvented by using an EDC system.
A more frequent, and damaging, corruption of data that occurs when using the standard paper-based system is errors and omissions when recording data. People make mistakes, for whatever reason. It is natural, and bound to happen. Say, for instance, that you have a subject XY-1001-9, for which the clinician is collecting data; it is very easy to write YX-1001-9, XY-101-9 or XY-1010-9 if a clinician is distracted, or maybe just operating on little sleep from the previous night.
By working with an EDC system with standardized data collection forms, the above scenarios are entirely avoided. That being said, standardized forms are not going to write themselves. During the planning stage of your study, devote time to organizing and developing the standardized form model you are going to use for each subject in your study to reduce errors and omissions. In the long run, your ROI will go through the roof.
However, even in an EDC system, mistakes can be made. No system is entirely error-proof, especially when being implemented for the very first time. When a mistake inevitably does happen, it is far less of a headache to solve and prevent from recurring using an EDC system. For starters, FDA compliance adherence measures should already be in place at the hands of the EDC software vendor. As compliance standards are modified by the FDA, they can be updated in the EDC system without a hitch. When data entry errors occur, they can be addressed by programming the software to recognize proper form entries.
Another feature of EDC systems for reducing errors and omissions is data entry recognition standards. Remember the subject number examples? If you write something down on paper, there is no real way to tell if you got it right the first time, other than somebody else noticing that you have made a mistake and telling you, or correcting it themselves. Every field of the EDC user interface can be programmed to recognize whether the data entered was in the proper format, and whether any fields were skipped or not submitted.
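The field checks described above, applied to the subject-number slips from the earlier paragraph, as an added example that is not code from any EDC product. The ID layout is inferred from the page's single example XY-1001-9; the form fields, the roster and the error messages are assumptions constructed for the illustration.

```python
import re
from datetime import date

# Assumed layout, inferred from the page's example "XY-1001-9":
# two capital letters, four digits, one trailing digit.
SUBJECT_ID_RE = re.compile(r"[A-Z]{2}-\d{4}-\d")

# Constructed roster of enrolled subjects and a hypothetical form definition.
ENROLLED = frozenset({"XY-1001-9", "XY-1002-7", "XY-1003-5"})
REQUIRED_FIELDS = ("subject_id", "visit_date", "capsules_taken")


def validate_entry(entry, enrolled=ENROLLED):
    """Return a list of error strings for one submitted form (empty if clean).

    `entry` maps field names to the strings typed into the form.
    """
    values = {}
    for field in REQUIRED_FIELDS:
        raw = entry.get(field)
        values[field] = "" if raw is None else str(raw).strip()

    # Skipped or unsubmitted fields.
    errors = [f"{f}: required field is empty" for f, v in values.items() if not v]

    # Format first, then existence: a well-formed ID can still be wrong.
    sid = values["subject_id"]
    if sid and not SUBJECT_ID_RE.fullmatch(sid):
        errors.append("subject_id: not in the form AA-0000-0")
    elif sid and sid not in enrolled:
        errors.append("subject_id: well-formed but not an enrolled subject")

    if values["visit_date"]:
        try:
            date.fromisoformat(values["visit_date"])
        except ValueError:
            errors.append("visit_date: expected YYYY-MM-DD")

    if values["capsules_taken"] and not values["capsules_taken"].isdigit():
        errors.append("capsules_taken: expected a whole number")
    return errors


def check_page_examples():
    """Run the four subject numbers from the page through the validator."""
    base = {"visit_date": "2024-03-04", "capsules_taken": "2"}  # constructed
    ids = ("XY-1001-9", "YX-1001-9", "XY-101-9", "XY-1010-9")
    return {sid: validate_entry({**base, "subject_id": sid}) for sid in ids}


if __name__ == "__main__":
    for sid, errs in check_page_examples().items():
        print(sid, "->", errs or "ok")
```

Only XY-101-9 fails the format check; YX-1001-9 and XY-1010-9 are well-formed and are caught only by the roster lookup. A slip that lands on another enrolled subject's number passes both checks, so the form needs a second identifier to cross-check against.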
An EDC system also reaps tangible data capture benefits for studies using subject-submitted data. Many subjects are not experts in clinical trial data management and entry, and unless you are conducting a study into only a single variable, patient submitted data, which saves time and costs, is an impractical approach to collecting study data. However, whilst being cloud-based, EDC allows any subject with a smartphone, tablet or computer the ability to submit data, at the very moment it is noticed and measured, mitigating subject risks and saving on study personnel expenses.
For user-submitted data, the standardized data collection form with checks in place for data submission ensures that the subject will not make a mistake when submitting data. You will be able to get by and hire fewer clinicians for future studies, a further cost saver of EDC.
Facilitating future medical device studies
After you take the plunge (and please do, ASAP) into EDC and forego paper-based data capture, the benefits will be noticed immediately for your next clinical trial. Not only will every facet of your data capture and monitoring be smooth sailing, but think of the future studies you will be sponsoring, and how they will benefit.
Not only does EDC facilitate the aforementioned features, but after you and your study personnel (and subjects if applicable) are trained and familiarized with the use of the EDC system you have chosen, future studies will be up and running faster than you can say “outdated, paper-based data capture.”
EDC systems significantly cut the time spent during the planning and preparation phases of a medical device clinical trial. Consider how while you are planning the variables and factors to be measured, you can instantly enter them into the software, saving time and money that would otherwise be spent on designing paper forms and making copies. EDC systems are flexible, and if study personnel is trained properly by the software vendor from the get go, require little maintenance for their design.
What are you waiting for?
Hopefully you now have a better understanding of how vital an EDC system is for an efficient medical device clinical trial, and how many headaches it alleviates for monitoring clinical trials. When you are looking for a vendor, ask how they can eliminate rework and detect problematic trends in real-time. Ask them if they require expensive third-party analytics and if they limit the number of users that can use risk-based monitoring tools and make sure they have a great training program. Enjoy your streamlined future studies.
Strong patient adherence in real life starts with strong people management
Patient adherence in real-life starts in clinical trials determining the safety, side effects and efficacy of the intervention, whether a drug or a medical device.
Like any other industry – success in clinical trials is all about the people.
The hugely successful movie – “Hidden figures” tells the story of the gifted black women mathematicians who played key roles in the NASA space program in the Mercury and Apollo space programs. It is a moving, inspiring and (sometimes hilarious) story of how NASA, a dominantly white male organization came to accept diversity during American desegregation.
By comparison, the Israeli life science industry lives in a different time and place and women are in leadership roles at all levels of Israeli life science companies.
In this 4 part series of articles, we will tell the story of the gifted Israeli women who are the “Hidden figures” of the Israel biomed/biotech industry.
Women comprise about 65 percent of Israel’s biotechnology workforce, and about 13 percent of top management positions in companies listed on the Tel Aviv Biomed index. In order to find out what attracts Israeli women into this globally male dominated field, I talked to a number of well-respected women, tried to learn about their story, get acquainted with their mindsets and solve the “mystery” of Israeli women invading this field.
(IQVIA is the world’s largest provider of biopharmaceutical development and commercial outsourcing services).
Hagit has a great story of a dream come true for a person who was not afraid to make a risky decision at the right time and was able to build a career in the biopharmaceutical industry literally from scratch.
A widely neglected factor in cost-effective risk-based clinical trial monitoring is availability and accessibility of data.
RBM methods used by a central clinical trial monitoring operation that receives stale data (any data from patients that is more than a day old is stale) are ineffective. Every day that goes by without having updated data from patients, devices and investigators reduces the relevance and efficacy of remote monitoring.
Real-time data is a sine qua non for RBM.
Sponsors and Contract research organizations (CROs) should therefore approach real-time data and risk-based monitoring (RBM) as 2 closely related priorities for executing clinical trials. Use of modern data technologies for real-time data collection and remote risk-based monitoring will reduce non-value added rework, people and paper in clinical trials and help speed up time to statistical report.
This post reviews the importance of 1) proper study design, 2) good data modeling and 3) realistic estimation of project timetables. The article concludes with a discussion of eSource and attempts to dispel some of the myths including how DIY EDC study builds save time (they don’t).
The trend of DIY: good for EDC vendors, less good for sponsors
The trend for small studies/IIS (investigator-initiated studies) is to use cloud EDC applications that enable end-users to build eCRF and edit checks using a graphical user interface. This so-called DIY (do-it-yourself) approach is used by most cloud EDC vendors such as Medrio and Clincapture as a way of lowering their barriers to entry to the market.
However – what is good for vendors (lowered barriers to entry) is not necessarily good for sponsors (faster time to market of their innovative drug or medical device).
Patients in medical device clinical trials are on their phones. On their phones for WhatsApp and for monitoring chronic conditions and reporting outcomes at home, at work and in the middle of a call to their friends.
Medtech developers are looking to make their product development process as effective as possible and are facing conflicting requirements when it comes to meeting regulatory requirements and reimbursement opportunities.
Danny Lieberman, founder and CEO of FlaskData.io, the leading cloud provider of clinical compliance as a service, talks about breaking out of a patient compliance checklist mentality by starting with one question.
The 3 pillars of GCP (good clinical practice)
1. Patient safety
2. Protocol compliance
3. Data quality
(We note that setting the focus on the primary clinical and safety end-points results in formulation of GCP as an exercise in optimizing patient compliance to the protocol.)
With the understanding that clinical trial site monitors commonly use checklists for their site visits our first question is to challenge the utility of checklists:
To what extent do fixed checklists enable the study monitor and sponsor to assess the impact that study deviations have on protocol compliance?
Take for example the activity of monitoring IC (informed consent); a best practice informed consent monitoring checklist looks like this:
Informed consent monitoring checklist
1. Was the consent form used, and translated versions, approved by the IRB?
2. Was the ICF the most current and approved version?
3. If the consent is available in more than one language, was the participant given a chance to choose the language he/she prefers?
4. Did the participant receive full explanation of the contents of the ICF?
5. Did the participant have ample time to ask any questions and were they addressed adequately?
6. Was the ICF signed before any study procedures? (N/A if the trial has received an exemption from IRB to consent after some study procedures)
7. If the subject is unable to read, was an independent witness present throughout the consent process?
8. Was the participant coerced?
9. Did the participant apparently understand the contents of the ICF?
10. Was IC form signed appropriately?
11. Was the environment suitable for the IC process?
(Courtesy of Global Health Trials)
You can check off 11 items on the list but there is only 1 question that matters:
“Are there patients participating now in the study who did not sign the ICF (informed consent form)?”
Why does the version or the environment matter if the patient is enrolled without informed consent? How does this checklist evaluate the impact of deviations? Does the checklist provide any quantitative measures of patient compliance?
After you ask that 1 question – (Are there any patients enrolled who did not sign ICF?) you can go on to quantify the impact (by asking how many patients are enrolled in the study without signed ICF) and then proceed to provide corrective and preventive actions.
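Asked of the enrollment data instead of a checklist, the one question and its quantification look like this. It is an added example, not code from the article or from Flaskdata.io; the record layout, the per-site breakdown and the sample enrollments are assumptions constructed for the illustration. It also covers the checklist's "signed before any study procedures" item, including its IRB exemption case.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Enrollment:
    subject_id: str
    site: str
    active: bool                        # participating now
    icf_signed_on: Optional[date]       # None = no signed ICF on record
    first_procedure_on: Optional[date]  # None = no study procedure yet
    irb_exemption: bool = False         # consent after procedures allowed


def consent_gaps(enrollments):
    """Answer the one question and quantify it.

    Returns active-subject counts, the subjects with no signed ICF, the
    subjects whose first procedure predates the signature (unless exempt),
    and the unsigned count per site for corrective action.
    """
    active = [e for e in enrollments if e.active]
    unsigned = [e for e in active if e.icf_signed_on is None]
    early = [
        e for e in active
        if e.icf_signed_on is not None
        and e.first_procedure_on is not None
        and e.first_procedure_on < e.icf_signed_on
        and not e.irb_exemption
    ]
    return {
        "active": len(active),
        "unsigned": sorted(e.subject_id for e in unsigned),
        "procedures_before_consent": sorted(e.subject_id for e in early),
        "unsigned_by_site": dict(Counter(e.site for e in unsigned)),
    }


# Constructed sample enrollments across two hypothetical sites.
SAMPLE_ENROLLMENTS = [
    Enrollment("S01-001", "S01", True, date(2024, 1, 10), date(2024, 1, 12)),
    Enrollment("S01-002", "S01", True, None, date(2024, 1, 15)),
    Enrollment("S02-001", "S02", True, date(2024, 2, 3), date(2024, 2, 1)),
    Enrollment("S02-002", "S02", True, date(2024, 2, 5), date(2024, 2, 2), True),
    Enrollment("S02-003", "S02", True, None, None),
    Enrollment("S02-004", "S02", False, None, None),  # withdrawn, not counted
]

if __name__ == "__main__":
    for key, value in consent_gaps(SAMPLE_ENROLLMENTS).items():
        print(f"{key}: {value}")
```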
In this article we suggest considering an alternative approach based on generating and analyzing multiple threat scenarios for the clinical study being monitored.
Since clinical trial data is highly-dimensional (typically 500-1000+ dimensions) we may reap significant benefits from this approach since with so many dimensions there tend to be many unconnected and undiscovered stovepipes of compliance and data governance.
Multiple threat scenarios enable auditors and study monitors to side-step large scale self-assessment checklists and problematic integration of data across stovepipes (large drug studies and large CROs like Quintiles, PPD and ICON typically use multiple systems from multiple vendors creating multiple unconnected stovepipes of data – one of the key reasons it takes 5-7 weeks to respond to a deviation) and focus on key assets, attacks and common vulnerabilities in key operational processes of the clinical trial like informed consent, eligibility criteria and treatment compliance (whether treatment is self-administered by the patient or administered by medical staff in a hospital).
In our experience, the sponsor is primarily interested in how cheaply the audit can be done and how much time and money they can save further down the road. For the business unit developing the medical device or drug, using a technique of multiple threat analysis will help show the best and most cost-effective way to progress from audit to patient compliance.
Do you base your regulatory affairs policy on Google?
You can do some homework online and then hire a clinical regulatory and compliance consultant who will walk you through the various GCP requirements and help you implement as many items as possible. This seems like a reasonable approach, but the more controls you implement, the more money you spend and moreover, you do not necessarily know if your risk posture has improved since you have not examined your value at risk – i.e. how much money it will cost you for rework if more patients have to be enrolled due to non-adherence to protocol. Recall that patient protocol compliance is central to the success of your clinical trial and the defense of your claims with the FDA should rely on your experimental design, data and risk-analysis and not on the percentage SDV (source document verification) that study monitors performed.
Taking a page out of the privacy and security playbook, we want to do a top-down risk analysis, and then continue with risk management and periodic protocol compliance activity review during the course of the clinical trial.
The best way to do that top down risk analysis is to build probable threat scenarios – considering what could go wrong – sites doing shoddy data entry or a hacker sniffing the hospital wired LAN for PHI and destroying the integrity of your randomized controlled trial.
Threat scenarios as an alternative to compliance check lists
When we perform a software security assessment of a medical device or healthcare system, we think in terms of “threat scenarios” or “attack scenarios”, and the result of that thinking manifests itself in planning, penetration testing, security countermeasures, and follow-up for compliance. The threat scenarios are not “one size fits all”.
The threat scenarios for clinical trials for AIDS diagnostics using medical devices that automatically scan and analyze blood samples, or an Army hospital using a networked brain scanning device to diagnose soldiers with head injuries, or an implanted cardiac device with mobile connectivity or immunotherapy treatment for cancer are all totally different.
We evaluate the medical device / investigational product from an attacker point of view, then from the management team point of view, and then recommend specific cost-effective, security countermeasures to mitigate the damage from the most likely attacks.
In our experience, building a risk control portfolio based on attack scenarios has 3 clear benefits:
1. A robust, cost-effective monitoring portfolio based on attack analysis results in robust compliance over time since you now have a formal methodology for evaluating new emerging issues such as mobile devices or changes to regulation.
2. Executives relate well to the concepts of threat modeling / attack analysis. Competing, understanding the value of their assets, taking risks and protecting themselves from attackers is really, at the end of the day, why executives get the big bucks.
3. Threat scenarios are a common language between IT, clinical operations teams and the business area managers. This last benefit is extremely important in your organization, since business delegates compliance to regulatory affairs and regulatory affairs delegates assessment to the site monitor teams and there is clearly a disconnect by the time you go from a business manager to a CRA.
As I wrote in a previous essay “The valley of death between IT and security”, there is a fundamental disconnect between IT operations (built on maintaining predictable business processes) and security operations (built on mitigating vulnerabilities).
The disconnect between sponsor business management and site monitors.
Business executives delegate clinical operations to the VP Clinical, who delegates to CROs, who delegate compliance to sites, on the tacit assumption that each is the expert in its own particular domain. This is a necessary but not sufficient condition.
In the current environment of rapidly evolving types of attacks (hacktivism, nation-state attacks, credit card attacks mounted by organized crime, script kiddies, competitors and malicious insiders and more…), it is essential that business managers, sites and regulatory affairs professionals communicate effectively regarding the types of attacks that their organization may face and the potential business impact on the clinical trial.
If you have any doubt about the importance of sponsors sharing data with sites, consider that leading up to 9/11, the CIA had intelligence on Al Qaeda terrorists and the FBI investigated people taking flying lessons, but no one asked the question why Arabs were learning to fly planes but not land them.
With fundamental disconnects between 3 key stakeholders of clinical data (sites, monitors and sponsors), it is no wonder that organizations are having difficulty assessing GCP compliance in a timely fashion.
Sponsors, monitors and sites (and increasingly patients) need a common language to execute their mission, and I submit that building a risk control portfolio for your clinical trial around the most likely threat scenarios from an attacker perspective is the best way to cross that valley of death.
There seems to be a tacit assumption among pharma and medtech executives that regulatory compliance is already a common language of compliance for a clinical trial, but as we demonstrated at the beginning of this article, compliance checklists like ICF monitoring etc. are a dangerous replacement for thinking through the most likely threats to your clinical trials.
Let me illustrate why compliance checklists are not the common language we need by taking an example from another compliance area – credit cards.
PCI DSS 2.0 has an obsessive preoccupation with anti-virus. It does not matter if you have a 16 quad-core Linux database server that is not attached to the Internet, with no removable devices and no Windows connectivity.
PCI DSS 2.0 wants you to install an anti-virus and open the server up to the Internet for the daily anti-virus signature updates. This is an example of a compliance control policy that is not rooted in a probable threat scenario and that creates additional vulnerabilities for the business.
Consider some deeper ramifications of check-list-based compliance to the protocol.
When a QSA or HIPAA auditor records an encounter with a customer, he records the planning, penetration testing, controls, and follow-up, not under a threat scenario, but under a control item (like access control). The next auditor that reviews the compliance posture of the business needs to read about the planning, testing, controls, and follow-up and then reverse-engineer the process to arrive at which threats are exploiting which vulnerabilities.
In the cyber security space, actors such as government agencies (DHS for example) and security researchers go through the same process. They all have their own methods of churning through the planning, test results, controls, and follow-up, to reverse-engineer the data in order to arrive at which threats are exploiting which vulnerabilities.
This ongoing process of “reverse-engineering” is the root cause for a series of additional problems:
1. Lack of overview of the threats and vulnerabilities to clinical trials that really count.
2. Insufficient connection to best practice controls, no indication of which controls to follow or which have been followed.
3. No connection between controls and protocol deviation events, except circumstantial.
4. No ability to detect and warn of negative interactions between controls (for example – edit checks that generate a large number of queries on every field, hobbling the ability of the sites to collect data in a timely manner).
5. No archiving or demoting of less important and solved threat scenarios (since the checklists are control based).
6. Lack of overview of compliance status of a particular site, only a series of historical observations disclosed or not disclosed. (Is Bank of America getting better at data security or worse? Is the Department of Clinical Neuropathology at King’s College Hospital getting better at GCP compliance or worse?)
7. An excess of paper documents that cannot possibly be read by the regulatory and clinical affairs manager at every encounter.
8. Regulatory and data borders are hard to define since the border definitions are networks, systems and applications not
Beyond checklists – using value at risk to assess impact of patient compliance violations
Checklists are good for ensuring a repeatable process, but threats to your study are rooted in unforeseen events like patients without informed consent. Your threat scenarios should consider your study assets (your data, systems, management attention, reputation), their values, vulnerabilities, threats and effective security countermeasures.
Threat analysis as a methodology for monitoring your clinical trial does not count activities like site visits and SDV. It is a systematic way to help you consider the fastest and most cost-effective way to reduce your risks of protocol non-compliance, safety and data quality.
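A worked sketch of the value-at-risk assessment described above, added here as an example and not taken from the original article. It assumes value at risk is asset value × probability × damage fraction, and every asset value, probability, cost and control name in it is constructed; the negative effect on one scenario models the "negative interaction between controls" from the list above.

```python
from dataclasses import dataclass, field

# Every asset value, probability and cost here is constructed for illustration.
ASSETS = {"study data": 500_000, "reputation": 300_000, "management attention": 100_000}

@dataclass
class Threat:
    name: str
    asset: str
    probability: float  # assumed chance the scenario occurs during the study
    damage: float       # assumed fraction of the asset value lost if it does

@dataclass
class Countermeasure:
    name: str
    cost: float
    # threat name -> fraction of risk removed; negative means the control makes it worse
    effect: dict = field(default_factory=dict)

THREATS = [
    Threat("enrollment without informed consent", "reputation", 0.10, 0.80),
    Threat("missed treatment schedule", "study data", 0.40, 0.30),
    Threat("query overload delays site data entry", "management attention", 0.50, 0.40),
]
CONTROLS = [
    Countermeasure("consent check before enrollment", 5_000,
                   {"enrollment without informed consent": 0.9}),
    Countermeasure("real-time compliance alerts", 20_000,
                   {"missed treatment schedule": 0.5}),
    Countermeasure("edit checks on every field", 10_000,
                   {"missed treatment schedule": 0.2,
                    "query overload delays site data entry": -0.5}),
]

def value_at_risk(threat, applied=()):
    """Expected loss for one threat scenario after the applied controls."""
    residual = 1.0
    for control in applied:
        residual *= 1.0 - control.effect.get(threat.name, 0.0)
    return ASSETS[threat.asset] * threat.probability * threat.damage * residual

def total_value_at_risk(applied=()):
    return sum(value_at_risk(t, applied) for t in THREATS)

def rank_controls():
    """Return (name, risk reduction, reduction per unit cost), best value first."""
    base = total_value_at_risk()
    rows = []
    for control in CONTROLS:
        reduction = base - total_value_at_risk([control])
        rows.append((control.name, round(reduction), round(reduction / control.cost, 2)))
    return sorted(rows, key=lambda row: row[2], reverse=True)
```

With these constructed figures the per-field edit checks rank last: they cut one scenario's risk but raise another's, which a control-based checklist would not reveal.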
How to secure your data in mobile medical device clinical trials
So you are getting ready to run medical device clinical trials with your mobile medical app or a medical appliance that is connected to the Internet via Wifi in the patient’s home network.
How do you secure your device and your cloud systems, and how do you comply with the HIPAA Security Rule that is a requirement when you work with hospitals and exchange clinical data inside the United States?
Security starts with understanding network connectivity and clinical data flows.
Danny talks about how to strike a good balance between people and technology for monitoring medical device clinical trials.
Are real-time alerts too much of a good thing for monitoring your study? Maybe real-time alerts for patient compliance in medtech studies are just a fad – a fad just like WhatsApp.
I had a conversation with my friend John who has worked for years in digital technologies in the public education space. With over a billion people on social media, John was concerned that the human element is getting trashed.
My answer to him was – “No way”. After people go through a change (especially a big technology change), both individually and collectively, they tend to return to a state of homeostasis.
The homeostasis of information
Stop for a moment and consider how much of your data sharing and private messaging interaction is digital and how much is paper and then ask yourself why clinical trial compliance monitoring is still dependent upon paper interactions.